Configuring firewalld for using barrier

Hi all, :wave:

I need your help for correctly configuring my firewall.

My aim is to allow barrier to share the mouse and keyboard of my main PC with the laptop. Both are running Linux Lite.

I already installed barrier on both systems and it works as it should. I had to disable the SSH setting in barrier though…
… and I had to switch off my firewall (firewalld) to make it work. :neutral_face:
Of course I don't want to do that, so I think I have to allow port 24800, which is used by barrier, on both systems.

Here the problems start:

My setup is this:

there are two network interfaces running:

  • enx001e101f0000 (LAN for getting internet access) # IP address: 192.168.8.102
  • wlxe4beed63ad6d (WLAN providing the hotspot access for the laptop) # IP address: 10.42.0.1

So I want to configure firewalld in a way that it allows port 24800 for use of barrier.

But: the second interface isn't even listed :thinking: :

sudo firewall-cmd --get-default-zone
public

…

sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enx001e101f0000
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Shouldn't there be two entries under “interfaces” :question:

Can anyone help me configure firewalld for the use of barrier?

Thank you so much in advance.

Many greetings
Rosika :slightly_smiling_face:

UPDATE:

Using firewalld's GUI got me a little further:

Here the 2nd interface is listed… with zone: nm-shared.

From here I could add a port (in my case 24800).
Would this be the correct way of doing it :question:

Hi Rosika,
I don't understand why you would need a firewall on the second interface which is only a link to your laptop.
Are you worried about other people accessing the hotspot?

Hi Neville, :wave:

well, perhaps I wasn't clear enough about what I need. Sorry.

What I want to achieve is getting barrier to work on both the main PC and the laptop without having to turn off the firewall.
So I'd basically need to apply an appropriate rule so that port 24800 isn't blocked.
I hope I'm right in my assessment.

I have to admit I never bothered with applying any rules to the firewall in the past. I always let it run with the default setting. :blush:
Therefore I took a look here as for configuring firewalld.

It says:

If we run the […] command
[ sudo firewall-cmd --zone=public --list-all ]
on a laptop with an ethernet connection and a Wi-Fi card, we’ll see something similar, but with two interfaces.
[…] interfaces: enp3s0 wlan0 […]

(bold by me)

But that's not the case with me. :thinking:
It's just the “wired connection” (LAN) network interface which is shown but not the WLAN one.

Thanks and many greetings from Rosika :slightly_smiling_face:

Hi Rosika,
I get your point, you can only get barrier to run by turning off the firewall.
Are you sure the firewall is actually protecting the wlan interface? Maybe that is why it does not list it.
Regards
Neville

1 Like

I see. Well, I'm not sure at all.
But if the firewall isn't protecting the WLAN interface then there shouldn't be any problems running barrier, right?

Hmm, I'll have to think a bit more about it. :thinking:

Thanks so much, Neville.

Cheers from Rosika :slightly_smiling_face:

True, unless barrier is also trying to operate on the internet interface.
Is there any log file for barrier?

Good suggestion. I think there is. Thanks. I'll look into it.

Cheers from Rosika :slightly_smiling_face:

1 Like

I have ufw running on Pop!_OS and Ubuntu - and don’t have to do anything to let things talk TLS on that same port (24800) - I use Synergy (Barrier is an early fork of Synergy from when it was truly OSS) extensively, and never had an issue with it being blocked by any local firewall running on Linux or MacOS (occasionally had Windows client install fire up the firewall thingie and ask if I want to allow that port).

I only started using TLS (i.e. SSL) on Synergy recently - I thought it was an unnecessary extra load (e.g. Synergy mostly behaves pretty awfully on WiFi - much better on gigabit ethernet)…

Actually - I don’t have it (ufw) running on my Ubuntu 23.04 thinkpad - it’s installed, loaded, but inactive…

I will try it later on today and see if Synergy client still works there…


OK - ufw running and loaded on both, and Synergy can still talk on 24800…

2 Likes

Hi all, :wave:

@nevj :

As for the logs, I indeed found them. barrier's GUI provided them, but they weren't of much use:

Failed to connect to server: Connection refused

This is what the client had to say.
But I got it running anyway (see below).

@daniel.m.tripp :

I had ufw on my Lubuntu systems as well. Linux Lite favours firewalld and therefore I had to do some tinkering with that one.

Thanks for the confirmation. So it's no barrier issue.

@all:

Well, I got it going in the end :wink:.

I talked to ChatGPT for some further help but couldn't learn anything new. But it was good to learn some basic firewalld-related commands anyway.

I first tried

sudo firewall-cmd --permanent --zone=public --add-port=24800/tcp
sudo firewall-cmd --reload

on the server, which seemed a logical step.

I assumed that would've been enough. But it turned out I also had to do the same for the zone nm-shared.
No idea whether adding port 24800 for nm-shared would've been enough. Anyway, I let the settings as they are for the time being.

And now indeed it works. :smiling_face:

I had to modify the default settings only on the server side. The client seems o.k. as it is.

So for the server it now looks like this:

sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enx001e101f0000
  sources: 
  services: dhcpv6-client ssh
  ports: 24800/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

and

sudo firewall-cmd --zone=nm-shared --list-all
nm-shared (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: wlxe4beed63ad6d
  sources: 
  services: dhcp dns ssh
  ports: 24800/tcp
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject

… and now barrier works with firewalld active on both systems.

Thanks a lot to all of you for your help. :heart:

Many greetings :slightly_smiling_face:
Rosika

2 Likes
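
Added example, not part of the thread: firewalld filters inbound traffic by the zone bound to the interface it arrives on, so this sketch parses the two `--list-all` outputs posted above (embedded as constructed sample input, trimmed to the relevant fields) and reports which interfaces now accept 24800/tcp. The function names are hypothetical, and it assumes the laptop reaches the server through the hotspot interface wlxe4beed63ad6d (10.42.0.1).

```shell
#!/bin/sh
# Constructed sample: the server's post-fix zone listings from the thread, trimmed.
sample_zones() {
cat <<'EOF'
public (active)
  target: default
  interfaces: enx001e101f0000
  services: dhcpv6-client ssh
  ports: 24800/tcp
nm-shared (active)
  target: ACCEPT
  interfaces: wlxe4beed63ad6d
  services: dhcp dns ssh
  ports: 24800/tcp
  rich rules:
    rule priority="32767" reject
EOF
}

# Hypothetical helper: print the zone that filters traffic arriving on interface $1.
zone_of_interface() {
    awk -v want="$1" '
        /^[^ \t]/ { zone = $1; next }                  # unindented line = zone header
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == want) print zone }
    '
}

# Hypothetical helper: print "<interface> <zone>" for every interface whose zone
# lists port $1 (e.g. 24800/tcp) on its "ports:" line.
interfaces_with_port() {
    awk -v want="$1" '
        /^[^ \t]/ { zone = $1; ifaces = ""; next }
        $1 == "interfaces:" { ifaces = $0; sub(/^[ \t]*interfaces:[ \t]*/, "", ifaces); next }
        $1 == "ports:" {
            for (i = 2; i <= NF; i++)
                if ($i == want) {
                    n = split(ifaces, a, /[ \t]+/)
                    for (j = 1; j <= n; j++) if (a[j] != "") print a[j], zone
                }
        }
    '
}

# The hotspot interface sits in nm-shared, so that zone decides whether the
# laptop can reach barrier; the public entry opens the port on the wired LAN.
echo "hotspot zone: $(sample_zones | zone_of_interface wlxe4beed63ad6d)"
sample_zones | interfaces_with_port 24800/tcp
```

On a live system, pipe `sudo firewall-cmd --zone=<zone> --list-all` into the same functions. If the laptop only ever connects over the hotspot, the `public` entry is what leaves 24800/tcp reachable from the wired LAN, and it can be dropped with `--remove-port=24800/tcp`.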